httpd-users mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [users@httpd] How to start Apache automatically with certificate?
Date Thu, 04 Sep 2008 21:00:43 GMT
Joseph S D Yao wrote:
> On Thu, Sep 04, 2008 at 12:33:20PM -0500, William A. Rowe, Jr. wrote:
>> Joseph S D Yao wrote:
>>> On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote:
>>> ...
>>>> They've also suggested that their conf files be owned by root, and only
>>>> readable by the apache user, which you also disagree with.
>>> ...
>>>
>>> Nobody has come up with a good argument for this, or a refutation of my
>>> argument against it.
>> The refutation is that in order to bind to port 80, have access to keys,
>> etc., httpd must start as root.  If the conf files are owned by a "wwwadmin"
>> role user, that's fine, it's one degree removed from root.  ...
> 
> Which is all I've been saying.  Thanks for finally agreeing.

No, I disagree with you above unless the caveats and warnings that you have
elided above are restored.  People reading the above (with no context) are
likely to deploy far more vulnerable configurations than the conventional
"maintain httpd.conf files as root" wisdom.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
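
An added example, not part of the thread or of the Apache project: httpd reads its configuration while still running as root, so this Python check walks from a conf file up through its parent directories and reports anything an account outside a trusted set could modify. The function name, the `stop_at` parameter and the constructed sample tree are assumptions made for the illustration.

```python
import os
import stat
import tempfile


def audit_conf_path(conf_path, trusted_uids=frozenset({0}), stop_at="/"):
    """Return (path, problem) pairs for conf_path and each ancestor directory.

    trusted_uids: owners allowed to control the configuration, e.g. root
    and, if the site accepts it, one admin role account (assumption).
    stop_at: highest directory to inspect (assumption, used by the demo).
    """
    findings = []
    path = os.path.abspath(conf_path)
    stop_at = os.path.abspath(stop_at)
    while True:
        st = os.lstat(path)  # lstat: inspect the link itself, not its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink: audit the target path too"))
        else:
            if st.st_uid not in trusted_uids:
                findings.append((path, "owner uid %d is not trusted" % st.st_uid))
            if st.st_mode & stat.S_IWGRP:
                findings.append((path, "group-writable"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
        parent = os.path.dirname(path)
        if path == stop_at or parent == path:
            break
        # A writable parent lets someone replace the file without touching it.
        path = parent
    return findings


def demo():
    """Build a constructed tree: conf file is fine, its directory is not."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    confdir = os.path.join(root, "conf")
    os.mkdir(confdir)
    os.chmod(confdir, 0o775)  # deliberately group-writable
    conf = os.path.join(confdir, "httpd.conf")
    open(conf, "w").close()
    os.chmod(conf, 0o644)
    return audit_conf_path(conf, {os.getuid()}, stop_at=root)


if __name__ == "__main__":
    for path, problem in demo():
        print(path, "->", problem)
```

On a real server the call would pass the actual conf path, leave `stop_at` at `/`, and list in `trusted_uids` only root plus any admin role account the site has decided to accept.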

